1. 16 Mar, 2020 1 commit
    • Added RPZ configuration option "nsdname-wait-recurse" · c786c578
      Diego Fronza authored
      This new option was added to fill a gap in RPZ configuration
      It was possible to instruct BIND whether NSIP rewriting rules would
      apply or not, as long as the required data was already in cache or not,
      respectively, by means of the option nsip-wait-recurse.
      A value of yes (default) could incur a little processing cost, since
      BIND would need to recurse to find NS addresses in case they were not in
      the cache.
      This behavior could be changed by setting nsip-wait-recurse value to no,
      in which case BIND would promptly return some error code if the NS IP addresses
      data were not in cache, then BIND would start a recursive query
      in background, so future similar requests would have the required data
      (NS IPs) in cache, allowing BIND to apply NSIP rules accordingly.
      A similar feature wasn't available for NSDNAME triggers, so this commit
      adds the option nsdname-wait-recurse to fill this gap, as it was
      expected by a couple of BIND users.
  2. 06 Mar, 2020 1 commit
  3. 21 Feb, 2020 1 commit
  4. 14 Feb, 2020 1 commit
  5. 13 Feb, 2020 2 commits
    • apply the modified style · e851ed0b
      Evan Hunt authored
    • Use clang-tidy to add curly braces around one-line statements · 056e133c
      Ondřej Surý authored
      The command used to reformat the files in this commit was:
      ./util/run-clang-tidy \
      	-clang-tidy-binary clang-tidy-11 \
      	-clang-apply-replacements-binary clang-apply-replacements-11 \
      	-checks=-*,readability-braces-around-statements \
      	-j 9 \
      	-fix \
      	-format \
      	-style=file
      clang-format -i --style=format $(git ls-files '*.c' '*.h')
      uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h')
      clang-format -i --style=format $(git ls-files '*.c' '*.h')
  6. 12 Feb, 2020 1 commit
  7. 07 Feb, 2020 4 commits
  8. 06 Dec, 2019 1 commit
    • Minor fixes in trust anchor code · eddac857
      Matthijs Mekking authored
      This commit makes some minor changes to the trust anchor code:
      1. Replace the undescriptive n1, n2 and n3 identifiers with slightly
         better rdata1, rdata2, and rdata3.
      2. Fix an occurrence where in the error log message a static number
         32 was printed, rather than the rdata3 length.
      3. Add a default case to the switch statement checking DS digest
         algorithms to catch unknown algorithms.
  9. 05 Dec, 2019 1 commit
  10. 15 Nov, 2019 1 commit
  11. 06 Nov, 2019 5 commits
    • dnssec-policy inheritance from options/view · 5f464d15
      Matthijs Mekking authored
      'dnssec-policy' can now also be set on the options and view level and
      a zone that does not set 'dnssec-policy' explicitly will inherit it
      from the view or options level.
      This requires a new keyword to be introduced: 'none'.  If set to
      'none' the zone will not be DNSSEC maintained, in other words it will
      stay unsigned.  You can use this to break the inheritance.  Of course
      you can also break the inheritance by referring to a different
      The keywords 'default' and 'none' are not allowed when configuring
      your own dnssec-policy statement.
      Add appropriate tests for checking the configuration (checkconf)
      and add tests to the kasp system test to verify the inheritance
      Edit the kasp system test such that it can deal with unsigned zones
      and views (so setting a TSIG on the query).
    • Use keywords in dnssec-policy keys configuration · 6468ffc3
      Matthijs Mekking authored
      Add keywords 'lifetime' and 'algorithm' to make the key configuration
      more clear.
    • kasp: Expose more key timings · 1f0d6296
      Matthijs Mekking authored
      When doing rollover in a timely manner we need to have access to the
      relevant kasp configured durations.
      Most of these are simple get functions, but 'dns_kasp_signdelay'
      will calculate the maximum time that is needed with this policy to
      resign the complete zone (taking into account the refresh interval
      and signature validity).
      Introduce parent-propagation-delay, parent-registration-delay,
      parent-ds-ttl, zone-max-ttl, zone-propagation-delay.
    • Introduce dnssec-policy configuration · a50d707f
      Matthijs Mekking authored
      This commit introduces the initial `dnssec-policy` configuration
      statement. It has an initial set of options to deal with signature
      and key maintenance.
      Add some checks to ensure that dnssec-policy is configured at the
      right locations, and that policies referred to in zone statements
      actually exist.
      Add some checks that when a user adds the new `dnssec-policy`
      configuration, it will no longer contain existing DNSSEC
      configuration options.  Specifically: `inline-signing`,
      `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`,
      `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`,
      and `sig-validity-interval`.
      Test a good kasp configuration, and some bad configurations.
    • Extend ttlval to accept ISO 8601 durations · b7c5bfb2
      Matthijs Mekking authored
      The ttlval configuration types are replaced by duration configuration
      types. The duration is an ISO 8601 duration that is going to be used
      for DNSSEC key timings such as key lifetimes, signature resign
      intervals and refresh periods, etc. But it is also still allowed to
      use the BIND ttlval ways of configuring intervals (number plus
      optional unit).
      A duration is stored as an array of 7 different time parts.
      A duration can either be expressed in weeks, or in a combination of
      the other datetime indicators.
      Add several unit tests to ensure the correct value is parsed given
      different string values.
  12. 01 Oct, 2019 1 commit
    • Various little fixes found by coccinelle · 288f5a4b
      Ondřej Surý authored
      The coccinellery repository provides many little semantic patches to fix common
      problems in the code.  The number of semantic patches in the coccinellery
      repository is high and most of the semantic patches apply only for Linux, so it
      doesn't make sense to run them on a regular basis as the processing takes a lot of
      The list of issues found in BIND 9, by no means complete, includes:
      - double assignment to a variable
      - `continue` at the end of the loop
      - double checks for `NULL`
      - useless checks for `NULL` (cannot be `NULL`, because of earlier return)
      - using `0` instead of `NULL`
      - useless extra condition (`if (foo) return; if (!foo) { ...; }`)
      - removing & in front of static functions passed as arguments
  13. 12 Sep, 2019 1 commit
  14. 09 Aug, 2019 2 commits
    • update docbook grammar, removing dnssec-lookaside · 02d95d0b
      Evan Hunt authored
      - this required modification to the code that generates grammar text for
        the documentation, because the "dnssec-lookaside" option spanned more
        than one line in doc/misc/options, so grepping out only the lines
        marked "// obsolete" didn't remove the whole option.  this commit adds
        an option to cfg_test to print named.conf clauses only if they don't
        have the obsolete, ancient, test-only, or not-yet-implemented flags
    • mark 'dnssec-lookaside' obsolete in parser · 54de054d
      Evan Hunt authored
  15. 23 Jul, 2019 1 commit
  16. 21 Jul, 2019 2 commits
  17. 04 Jul, 2019 2 commits
  18. 27 Jun, 2019 1 commit
  19. 05 Jun, 2019 4 commits
    • "dnssec-keys" is now a synonym for "managed-keys" · 821f041d
      Evan Hunt authored
      - managed-keys is now deprecated as well as trusted-keys, though
        it continues to work as a synonym for dnssec-keys
      - references to managed-keys have been updated throughout the code.
      - tests have been updated to use dnssec-keys format
      - also the trusted-keys entries have been removed from the generated
        bind.keys.h file and are no longer generated by bindkeys.pl.
    • deprecate "trusted-keys" · 5ab25218
      Evan Hunt authored
      - trusted-keys is now flagged as deprecated, but still works
      - managed-keys can be used to configure permanent trust anchors by
        using the "static-key" keyword in place of "initial-key"
      - parser now uses an enum for static-key and initial-key keywords
    • Remove `cleaning-interval` remnants. · a9dca583
      Tony Finch authored
      Since 2008, the cleaning-interval timer has been documented as
      "effectively obsolete" and disabled in the default configuration with
      a comment saying "now meaningless".
      This change deletes all the code that implements the cleaning-interval
      timer, except for the config parser in which it is now explicitly
      marked as obsolete.
      I have verified (using the deletelru and deletettl cache stats) that
      named still cleans the cache after this change.
  20. 15 Mar, 2019 1 commit
  21. 08 Mar, 2019 1 commit
  22. 07 Mar, 2019 1 commit
  23. 31 Jan, 2019 1 commit
    • Ancient named.conf options are now a fatal configuration error · ff3dace1
      Evan Hunt authored
      - options that were flagged as obsolete or not implemented in 9.0.0
        are now flagged as "ancient", and are a fatal error
      - the ARM has been updated to remove these, along with other
        obsolete descriptions of BIND 8 behavior
      - the log message for obsolete options explicitly recommends removal
  24. 07 Dec, 2018 1 commit
  25. 06 Dec, 2018 2 commits
    • name change from "hook modules" to "plugins" · fd20f10d
      Evan Hunt authored
      - "hook" is now used only for hook points and hook actions
      - the "hook" statement in named.conf is now "plugin"
      - ns_module and ns_modlist are now ns_plugin and ns_plugins
      - ns_module_load is renamed ns_plugin_register
      - the mandatory functions in plugin modules (hook_register,
        hook_check, hook_version, hook_destroy) have been renamed
    • add a parser to filter-aaaa.so and pass in the parameters · 9911c835
      Evan Hunt authored
      - make some cfg-parsing functions global so they can be run
        from filter-aaaa.so
      - add filter-aaaa options to the hook module's parser
      - mark filter-aaaa options in named.conf as obsolete, remove
        from named and checkconf, and update the filter-aaaa test not to
        use checkconf anymore
      - remove filter-aaaa-related struct members from dns_view